About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8590: The UK’s National Cyber Security Centre (NCSC)

Archive Utility

Available for: macOS Mojave 10.14.4

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved validation.

CVE-2019-8640: Ash Fox of Fitbit Product Security

Entry added August 1, 2019

Bluetooth

Available for: macOS Mojave 10.14.4

Impact: Due to a misconfiguration in the Bluetooth pairing protocols of a Bluetooth Low Energy (BLE) version of FIDO Security Keys, it may be possible for an attacker with physical proximity to intercept Bluetooth traffic during pairing

Description: This issue was addressed by disabling accessories with insecure Bluetooth connections. Customers using the Bluetooth Low Energy (BLE) version of the Titan Security Key by Google should review Android’s June Bulletins and Google’s advisory and take appropriate action.

CVE-2019-2102: Matt Beaver and Erik Peterson of Microsoft Corp.

Entry added September 12, 2019

CoreAudio

Available for: macOS Mojave 10.14.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Impact: Users removed from an iMessage conversation may still be able to alter state

Description: A logic issue was addressed with improved state management.

CVE-2019-8631: Jamie Bishop of Dynastic

Entry added August 1, 2019

Microcode

Available for: macOS Mojave 10.14.4

Impact: Load ports, fill buffers, and store buffers in systems with microprocessors utilizing speculative execution may allow an attacker with local user access to potentially enable information disclosure via a side channel

Description: Multiple information disclosure issues were addressed partially by updating the microcode and changing the OS scheduler to isolate the system from web content running in the browser. To completely address these issues, there are additional opt-in mitigations to disable Hyper-Threading and enable microcode-based mitigations for all processes by default. Details of the mitigations can be found at https://support.apple.com/kb/HT210107.

Additional recognition

We would like to acknowledge riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative for their assistance.

Entry added July 25, 2019

CoreFoundation

We would like to acknowledge m4bln, Xiangqian Zhang, Huiming Liu of Tencent's Xuanwu Lab, Vozzie, and Rami for their assistance.

Entry updated May 14, 2019

Kernel

We would like to acknowledge Denis Kopyrin for their assistance.

Entry updated May 14, 2019

PackageKit

We would like to acknowledge Csaba Fitzl (@theevilbit) for their assistance.

Safari

We would like to acknowledge Michael Ball of Gradescope by Turnitin for their assistance.

System Preferences

We would like to acknowledge an anonymous researcher for their assistance.
